A team of scientists from two US universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research.
ASLR is a security feature included with all major operating systems today, being part of Windows, Linux, macOS, iOS, and Android for many years.
The feature works by taking data objects that are sent to the CPU for processing and assigning them a random address space where they execute inside the computer’s memory (RAM).
Because most “takeover” vulnerabilities rely on corrupting memory via buffer overflows, an attacker must craft the exploit carefully in order to trick the computer into executing malicious code. To do this, the attacker has to know the address space where an application executes code inside the computer’s memory. This can be determined quite easily by analyzing the app’s source code.
This is where ASLR comes in, scrambling memory addresses and keeping an index. As such, if ASLR works properly, malware or exploit code executes in the wrong memory locations, leaving the computer unharmed.
In a paper released this week, a team of computer science experts says they’ve identified a problem with the BTB, a cache that keeps track of memory locations where previously executed branches have jumped. CPUs use BTBs to speed up operations, much as a browser cache speeds up loading of commonly visited web pages.
Researchers say that the BTB is vulnerable to collision attacks, a term used to describe attacks that bombard the BTB with random data until they find an entry that matches data already stored in the buffer.
This technique allows the researchers to recover data from the CPU’s kernel that contains ASLR index tables, letting attackers know where a specific app’s code executes so that they can fine-tune their exploits.
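The collision the article describes comes down to how a BTB picks an entry: if only the low bits of a branch address are used as the index, then two branches whose addresses differ only in the higher, ASLR-randomized bits land in the same entry. The following is an added, deliberately simplified simulation written for this page; it is not code from the paper or the article, and the 12-bit index width, the page-granular ASLR slide and the sample addresses are constructed assumptions (the real Haswell indexing function is more involved and undocumented). It shows why page-granular randomization leaves the low index bits unchanged, and why an index that took more address bits into account would break the aliasing.

```python
"""Toy model of a Branch Target Buffer (BTB) indexed by low address bits.

Added illustration, not the paper's or the article's code.  Assumptions:
a direct-mapped BTB indexed by address bits [0, INDEX_BITS), and an ASLR
that slides a binary by whole 4 KiB pages.
"""

INDEX_BITS = 12   # assumption: entry chosen by the 12 lowest address bits
PAGE_SIZE = 4096  # ASLR slides are page-granular on common platforms


def btb_index(addr: int, index_bits: int = INDEX_BITS) -> int:
    """Entry a branch at `addr` would occupy in the modelled BTB."""
    return addr & ((1 << index_bits) - 1)


def randomize_base(base: int, slide_pages: int) -> int:
    """Model ASLR: move an image base by a whole number of pages.  Every
    address inside the image keeps its low 12 bits (the page offset)."""
    return base + slide_pages * PAGE_SIZE


class ToyBTB:
    """Direct-mapped BTB: one (full address, target) record per index."""

    def __init__(self, index_bits: int = INDEX_BITS) -> None:
        self.index_bits = index_bits
        self.entries: dict[int, tuple[int, int]] = {}

    def record_branch(self, branch_addr: int, target: int) -> None:
        """Remember where the branch at `branch_addr` last jumped."""
        self.entries[btb_index(branch_addr, self.index_bits)] = (branch_addr, target)

    def shares_entry(self, branch_addr: int) -> bool:
        """True when a different branch address already occupies the entry
        that `branch_addr` maps to: the aliasing the article calls a collision."""
        entry = self.entries.get(btb_index(branch_addr, self.index_bits))
        return entry is not None and entry[0] != branch_addr


def demo(index_bits: int = INDEX_BITS) -> dict:
    """Run the same branch under two constructed ASLR slides and report
    whether the two instances alias in a BTB of the given index width."""
    offset = 0x5A0                      # constructed: branch offset in image
    run1 = randomize_base(0x400000, slide_pages=0x12) + offset
    run2 = randomize_base(0x400000, slide_pages=0x3F7) + offset

    btb = ToyBTB(index_bits)
    btb.record_branch(run1, run1 + 0x40)  # first run populates the entry
    return {
        "run1": run1,
        "run2": run2,
        "index1": btb_index(run1, index_bits),
        "index2": btb_index(run2, index_bits),
        "aliases": btb.shares_entry(run2),
    }


if __name__ == "__main__":
    for bits in (INDEX_BITS, 30):
        r = demo(bits)
        print(f"{bits}-bit index: {r['run1']:#x} -> {r['index1']:#x}, "
              f"{r['run2']:#x} -> {r['index2']:#x}, aliases={r['aliases']}")
```

With a 12-bit index the two runs differ only in bits the index ignores, so they share one entry; with a 30-bit index they do not. That is the gap the researchers exploited: the randomization applied by ASLR sits above the bits this kind of buffer looks at.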